From 68b2315d44b8df80d87b9fd050fe21aeea144c8f Mon Sep 17 00:00:00 2001
From: Instrumental <jonathan.gathman@att.com>
Date: Tue, 1 May 2018 15:03:25 -0500
Subject: Update Certificate for all FQDNs

Issue-ID: AAF-114
Change-Id: I0b73d55b471e0438bb4beb901a992be88e1e5f11
Signed-off-by: Instrumental <jonathan.gathman@att.com>
---
 conf/CA/manual.sh | 36 +++++++++++++++++++++++++++++++-----
 conf/CA/san.conf  | 15 +++++++++++++++
 2 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 conf/CA/san.conf

(limited to 'conf/CA')

diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 7b75fbc9..00a23ec8 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -13,10 +13,30 @@ else
   FQDN=$1
   NAME=$FQDN
   shift
+
+  echo "Enter any SANS, delimited by spaces: "
+  read SANS
+fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+   echo no SANS
+    if [ -e $NAME.san ]; then 
+      rm $NAME.san
+    fi
+  else
+   echo some SANS
+    cp ../san.conf $NAME.san
+    NUM=1
+    for D in $SANS; do 
+        echo "DNS.$NUM = $D" >> $NAME.san
+	NUM=$((NUM+1))
+    done
 fi
+
 echo $SUBJECT
 
-if [ -e $FQI.csr ]; then
+if [ -e $NAME.csr ]; then
   SIGN_IT=true
 else 
   if [ "$1" = "-local" ]; then
@@ -46,13 +66,19 @@ fi
 
 if [ "$SIGN_IT" = "true" ]; then
   # Sign it
-  openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+  if [ -e $NAME.san ]; then
+    openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
 	-cert certs/ca.crt -keyfile private/ca.key \
 	-policy policy_loose \
 	-days 360 \
+	-extfile $NAME.san \
 	-infiles $NAME.csr
+  else 
+    openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+	-cert certs/ca.crt -keyfile private/ca.key \
+	-policy policy_loose \
+	-days 360 \
+	-infiles $NAME.csr
+  fi
 fi
 
-
-
-
diff --git a/conf/CA/san.conf b/conf/CA/san.conf
new file mode 100644
index 00000000..de9f62f9
--- /dev/null
+++ b/conf/CA/san.conf
@@ -0,0 +1,15 @@
+# SAN Extension
+# Copy, then add DNS.1 = name, etc
+#
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
-- 
cgit 1.2.3-korg